@LOCKED Ransomware

Posted: October 2, 2018

The @LOCKED Ransomware is a file-locker Trojan that's an update of the Unlock92 Ransomware. Most versions of this family use direct data encryption to block different media files on your PC and create ransom messages in various formats, such as Notepad's TXT. Paying the ransom doesn't necessarily give you a decryptor in return, and victims of these attacks should have their anti-malware solutions remove the @LOCKED Ransomware before using backups or free decryption services for their data recovery needs.

The Latest in Data Sabotage for Russian PC Owners

Russia's once-singular status as a haven from the average file-locker Trojan's campaign is increasingly a thing of the past, as malware researchers collect ongoing evidence of file-locking attacks from a variety of directions. One of the newest comes from what's classifiable as a variant of the small Unlock92 Ransomware family, whose distribution, much like that of the Scarab Ransomware, often, but not exclusively, targets Russia-based servers. Its attacks remain similar to those of most old versions of the same program: using non-consensual encryption to block data and ransoming the decryption service.

Unlike the Unlock92 Zipper Ransomware, the ZIP-archive-abusing Trojan that was one of the most divergent updates to this family, the @LOCKED Ransomware uses a direct data-encrypting routine that's typical for most file-locker Trojans. Like the Gedantar Ransomware, the Naampa Ransomware, and the Unlckr Ransomware, which are also members of the family, the @LOCKED Ransomware depends on an RSA-2048 encryption process that runs in the background and blocks everything from text documents to CD media and graphical projects. It also replaces filenames with semi-random characters and adds a '@LOCKED' string as a replacement extension.

Most versions of the @LOCKED Ransomware's family use a desktop wallpaper-hijacking feature for displaying at least part of their ransoming messages. Malware experts can't confirm whether or not the @LOCKED Ransomware keeps that feature, but they do verify the presence of Notepad-based warnings with the relevant ransoming instructions. Threat actors frequently withhold their decryption help even after a victim pays, however, and any users without backups should test every other solution first.
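For incident scoping, the '@LOCKED' extension and the TXT warnings described above can drive a quick filesystem triage: count renamed files per directory, bound the encryption window from modification times, and list text files written around that window as candidate ransom notes. This Python is an added example, not code from the original article; it assumes the string sits at the very end of the filename and that modification times reflect the encryption run, and the function names, `NOTE_SLACK` value and sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

SUFFIX = "@LOCKED"   # extension string from the article; separator is not documented
NOTE_SLACK = 300     # assumption: notes are written within 5 minutes of the encryption run

def scope_locked_files(root, suffix=SUFFIX, slack=NOTE_SLACK):
    """Return per-directory counts of locked files, the mtime window, and nearby .txt files."""
    per_dir, locked_mtimes, txt_files = defaultdict(int), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # unreadable or removed mid-scan
            if name.endswith(suffix):
                per_dir[os.path.relpath(dirpath, root)] += 1
                locked_mtimes.append(mtime)
            elif name.lower().endswith(".txt"):
                txt_files.append((os.path.relpath(path, root), mtime))
    if not locked_mtimes:
        return {"per_dir": {}, "window": None, "candidate_notes": []}
    start, end = min(locked_mtimes), max(locked_mtimes)
    notes = sorted(p for p, m in txt_files if start - slack <= m <= end + slack)
    return {"per_dir": dict(per_dir), "window": (start, end), "candidate_notes": notes}

def build_sample_tree(root):
    """Constructed sample data: (relative path, mtime) pairs, not real malware output."""
    sample = [
        ("docs/k3Jx9QpL@LOCKED", 1_538_400_000),
        ("docs/Zr81mVbT@LOCKED", 1_538_400_060),
        ("pics/aa07PqWe@LOCKED", 1_538_400_120),
        ("docs/README_constructed.txt", 1_538_400_130),  # written right after the run
        ("docs/old_notes.txt", 1_500_000_000),           # predates the run, ignored
        ("pics/holiday.jpg", 1_500_000_000),             # untouched file
    ]
    for rel, mtime in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scope_locked_files(tmp))
```

Run it against a read-only mount or forensic copy rather than the live volume, so the scan itself does not disturb timestamps needed later.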

Winding Down the Season of September Trojans

Because the @LOCKED Ransomware's campaign may be administered by a new team of threat actors, it's unknown whether business networks, governments, NGOs, or random, recreational PC users are most at risk from its current infection strategies. File-locker Trojans tend towards distribution methods that exploit network and login credential-based vulnerabilities, such as bad passwords. However, criminals may be tricking victims into infecting their computers by opening corrupted files, of which e-mail-attached documents are a very typical example.

There is a freeware decryption program available, which is compatible with many, if not necessarily all, versions of the Unlock92 Ransomware family. Users can test spare copies of any blocked media with this tool to determine their chances of recovering any content for free. Malware experts strongly recommend always keeping secure backups for circumstances where a decryptor isn't available, however, along with anti-malware products that should delete the @LOCKED Ransomware before its encryption routine begins.

Russia-based server administrators already have numerous reasons to care about the integrity of their logins, along with any potential abuse of their RDP and firewall settings. Regrettably, at least one threat actor finds it worth the effort to give them one more by way of the @LOCKED Ransomware.